An XSS flaw in GitLab allows attackers to take over accounts

Pierluigi Paganini May 24, 2024

GitLab addressed a high-severity cross-site scripting (XSS) vulnerability that allows unauthenticated attackers to take over user accounts.

GitLab fixed a high-severity XSS vulnerability, tracked as CVE-2024-4835, that allows attackers to take over user accounts.

An attacker can exploit this issue by using a specially crafted page to exfiltrate sensitive user information.

The vulnerability impacts versions 15.11 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1.

The flaw was addressed with the release of versions 17.0.1, 16.11.3, and 16.10.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).

“A XSS condition exists within GitLab in versions 15.11 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1.” reads the advisory published by the company. “By leveraging this condition, an attacker can craft a malicious page to exfiltrate sensitive user information.”

matanber reported this vulnerability through our HackerOne bug bounty program, he received a $10,270 bounty.

Below is the list of vulnerabilities addressed by the company:

TitleSeverity
1-click account takeover via XSS leveraging the VS code editor (Web IDE)High
A DOS vulnerability in the ‘description’ field of the runnerMedium
CSRF via K8s cluster-integrationMedium
Using Set Pipeline Status of a Commit API incorrectly create a new pipeline when SHA and pipeline_id did not matchMedium
Redos on wiki render API/PageMedium
Resource exhaustion and denial of service with test_report API callsMedium
Guest user can view dependency lists of private projects through job artifactsMedium

In early May, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a GitLab Community and Enterprise Editions improper access control vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.

The issue, tracked as CVE-2023-7028 (CVSS score: 10.0), is an account takeover via Password Reset. The flaw can be exploited to hijack an account without any interaction.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, XSS)



you might also like

leave a comment